[Standards] UPDATED: XEP-0257 (Client Certificate Management for SASL EXTERNAL)

Peter Saint-Andre stpeter at stpeter.im
Thu Feb 12 21:52:11 UTC 2009


Alexey Melnikov wrote:

> 2). In Section 3 the following text was added:
> 
>> If the subjectAltName contains a full JID the server MUST force the
>> client to use the given resource during resource binding. The client
>> is only allowed to use the provided resource name. If a client with
>> the same resource name is currently logged in and that client is not
>> forced to use that resource name, it SHOULD be logged out by the server.
> 
> I am not entirely sure what this text is trying to achieve.

As I understand it from talking with Dirk at the XMPP Summit, this text
is trying to achieve lockdown of resource identifiers. So for instance I
could say that the full JID for a certificate is "me at myserver.tld/TV"
(my set-top box) and another is "me at myserver.tld/DVR" (my digital video
recorder) or whatever. My DVR can't log in as my TV and my TV can't log
in as my DVR. You could think of these as "user" accounts with few
permissions, whereas an "admin" account could log in as any of those
resources. But probably Dirk can explain it more accurately.

> However this brings an interesting question: if the uploaded certificate
> has a JID in the subjectAltName, then I think the JID MUST correspond to
> the user's account for which it was uploaded.

Certainly.

/psa
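The resource-lockdown rule being discussed (a full JID in the certificate's xmppAddr subjectAltName forcing the bound resource, plus the requirement that the certificate's JID belong to the account it was uploaded for) as an added worked example, not code from XEP-0257, from any XMPP server, or from anyone on this thread. It assumes the xmppAddr SAN values have already been extracted from the certificate as plain strings, and it treats a collision with an existing session that is itself certificate-locked as a hard conflict, which the XEP text quoted above does not specify.

```python
from dataclasses import dataclass

# Constructed example of the XEP-0257 Section 3 policy; the JID forms
# (localpart@domain/resource) are assumed, the JID values are made up.


def split_jid(jid):
    """Return (bare_jid, resource) where resource is None for a bare JID."""
    bare, sep, resource = jid.partition("/")
    return bare, (resource if sep else None)


@dataclass
class Session:
    resource: str
    forced: bool  # True if this session's resource was dictated by its certificate


def check_cert_jid(san_jids, account_bare_jid):
    """Validate the xmppAddr SAN entries of a certificate against the account
    it was uploaded for. Returns the resource the client MUST use, or None if
    only bare JIDs are present. Raises ValueError when a JID names another
    account or the certificate names two different resources."""
    forced = None
    for jid in san_jids:
        bare, resource = split_jid(jid)
        if bare != account_bare_jid:
            raise ValueError(f"certificate JID {jid!r} does not belong to {account_bare_jid}")
        if resource is not None:
            if forced is not None and forced != resource:
                raise ValueError("certificate names more than one resource")
            forced = resource
    return forced


def bind_resource(forced, requested, active_sessions):
    """Apply the rule at resource-binding time.
    Returns (bound_resource, sessions_to_log_out)."""
    if forced is None:
        return requested, []  # no lockdown: ordinary resource binding
    if requested is not None and requested != forced:
        raise ValueError(f"client MUST bind to {forced!r}, not {requested!r}")
    evict = []
    for s in active_sessions:
        if s.resource == forced:
            if s.forced:  # assumption: two cert-locked sessions cannot share a resource
                raise ValueError(f"resource {forced!r} already held by a cert-locked session")
            evict.append(s)  # not forced, so it SHOULD be logged out
    return forced, evict
```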